Limit the setcap search to PATH for cross builds to prevent host
contamination. Add libcap-native to the dependencies of PACKAGECONFIG
libcap so that it supplies setcap.

The previous setting of NO_SETCAP_OR_SUID broke setuid or setcap of
/bin/ping and other executables.

Signed-off-by: Jate Sujjavanich <jate...@gmail.com>
---
 ...tcap-search-to-PATH-for-cross-builds.patch | 33 +++++++++++++++++++
 .../iputils/iputils_s20200821.bb              |  3 +-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/iputils/iputils/0001-Limit-setcap-search-to-PATH-for-cross-builds.patch

diff --git a/meta/recipes-extended/iputils/iputils/0001-Limit-setcap-search-to-PATH-for-cross-builds.patch b/meta/recipes-extended/iputils/iputils/0001-Limit-setcap-search-to-PATH-for-cross-builds.patch
new file mode 100644
index 0000000000..b09cdb5f13
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-Limit-setcap-search-to-PATH-for-cross-builds.patch
@@ -0,0 +1,33 @@
+From aedb7811d1e9b0eae5d33b5bed39f6219a06a8dc Mon Sep 17 00:00:00 2001
+From: Jate Sujjavanich <jate...@gmail.com>
+Date: Thu, 18 Feb 2021 21:35:03 -0500
+Subject: [PATCH] Limit setcap search to PATH for cross builds
+
+Upstream-Status: Pending
+---
+ meson.build | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index aff75a2..16bbfb6 100644
+--- a/meson.build
++++ b/meson.build
+@@ -215,7 +215,14 @@ config_h = configure_file(
+       output : 'config.h',
+       configuration : conf)
+ 
+-setcap = find_program('setcap', '/usr/sbin/setcap', '/sbin/setcap', required : false)
++if meson.is_cross_build()
++      message('limit setcap search to PATH')
++      path_setcap = ['setcap']
++else
++      message('search for setcap in PATH and admin dirs')
++      path_setcap = ['setcap', '/usr/sbin/setcap', '/sbin/setcap']
++endif
++setcap = find_program(path_setcap, required : false)
+ if cap_dep.found() and setcap.found()
+       perm_type = 'caps'
+       setcap_path = setcap.path()
+-- 
+2.30.0
+
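Review bot: On a cross build, `find_program(path_setcap, required : false)` now searches only PATH, so a missing native setcap leaves `setcap.found()` false and the `perm_type = 'caps'` branch is skipped without any error. The fallback branch is outside this hunk, but it presumably changes how ping obtains its privileges (setuid, or none at all), which is the kind of silent change the commit message attributes to the earlier NO_SETCAP_OR_SUID setting. Consider failing at configure time in that case, e.g. `setcap = find_program(path_setcap, required : meson.is_cross_build() and cap_dep.found())`, or at least emitting a `warning()` when the lookup fails. Separately, the embedded patch header carries `Upstream-Status: Pending` but no `Signed-off-by:` line, which the project's patch conventions normally expect.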
diff --git a/meta/recipes-extended/iputils/iputils_s20200821.bb b/meta/recipes-extended/iputils/iputils_s20200821.bb
index 8b63a23c61..31fe1acdaf 100644
--- a/meta/recipes-extended/iputils/iputils_s20200821.bb
+++ b/meta/recipes-extended/iputils/iputils_s20200821.bb
@@ -12,6 +12,7 @@ DEPENDS = "gnutls"
 
 SRC_URI = "git://github.com/iputils/iputils \
            file://0001-rarpd-rdisc-Drop-PrivateUsers.patch \
+           file://0001-Limit-setcap-search-to-PATH-for-cross-builds.patch \
            "
 SRCREV = "23c3782ae0c7f9c6ae59dbed8ad9204f8758542b"
 
@@ -26,7 +27,7 @@ CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
 PACKAGECONFIG ??= "libcap rarpd \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ninfod traceroute6', '', d)} \
                    ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
-PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap"
+PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap libcap-native"
 PACKAGECONFIG[libidn] = "-DUSE_IDN=true, -DUSE_IDN=false, libidn2"
 PACKAGECONFIG[gettext] = "-DUSE_GETTEXT=true, -DUSE_GETTEXT=false, gettext"
 PACKAGECONFIG[ninfod] = "-DBUILD_NINFOD=true,-DBUILD_NINFOD=false,"
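Review bot: The `libcap-native` entry added to `PACKAGECONFIG[libcap]` has no comment explaining that it exists only to put a native `setcap` on PATH for the cross build. A later cleanup could drop it as a redundant dependency, and the meson patch would then quietly stop finding setcap and fall back to whatever the non-caps branch does. Add a line above the assignment such as `# libcap-native provides the setcap binary that meson looks up in PATH on cross builds`.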
-- 
2.25.1
